- Enhancement
- Resolution: Won't Fix
- P4
- None
- 1.4.1
- None
- generic
- generic
Copied from 4531698:
===
2) It would be nice if our LDAPCertStore.getCertificates() implementation was enhanced to find certificates when the specified X509CertSelector contains a subjectAlternativeName criterion with an RFC822 email address (and a null subject criterion). The implementation should search the directory for DN entries containing the "mail" attribute with the specified RFC822 email address and then return certificates in that entry with SubjectAltName extensions containing the specified email address. This would be especially useful for S/MIME applications, and would allow the CertPathBuilder to build a path to a target certificate when the subject's email address, but not the subject DN, is known. This is a common usage case in S/MIME when the relying party wants to send an encrypted email to someone but doesn't have their certificate and only knows their email address.

3) The reverse builder uses the target subject name for deciding which certificates are most promising and ensuring that prospective CA certificates don't contain name constraints that would prohibit the desired target subject. This optimization should be done only if a non-null subject DN is set. (I think it is simply a matter of checking if selector.getSubjectAsBytes() == null in ReverseBuilder.java)
===
Note that LDAPCertStoreParameters currently do not include a baseDn, which would make searches via email address somewhat inefficient. An API change may be in order.

As explained in the evaluation for 4531698, (3) is currently not a real issue but may become one if (2) is implemented. Therefore, that text is duplicated here.
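The lookup sketched in (2) and the guard from (3), as an added illustration that is not JDK code: the selector's rfc822Name criterion is extracted only when no subject DN is set, turned into an escaped "(mail=...)" search filter, and the certificates found in the matched entry are kept only if the selector (and so the SubjectAltName check) accepts them. The class and method names are hypothetical, and the directory connection itself is left out; only the filter string is built.

```java
import java.io.IOException;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
/** Constructed illustration of the requested lookup; not the JDK's LDAPCertStore code. */
public class EmailCertLookup {
    static final int RFC822_NAME = 1; // GeneralName tag X509CertSelector uses for rfc822Name
    /** The rfc822Name criterion, or null when a subject DN is set or no email was given. */
    static String emailCriterion(X509CertSelector sel) throws IOException {
        if (sel.getSubjectAsBytes() != null) return null; // subject DN known: DN lookup applies
        Collection<List<?>> names = sel.getSubjectAlternativeNames();
        if (names == null) return null;
        for (List<?> name : names) {
            // each entry is [Integer type, String or byte[] value]
            if ((Integer) name.get(0) == RFC822_NAME && name.get(1) instanceof String) return (String) name.get(1);
        }
        return null;
    }
    /** RFC 4515 escaping so the address cannot alter the structure of the filter. */
    static String escapeFilterValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    /** Search filter for directory entries whose "mail" attribute equals the address. */
    static String mailFilter(String email) {
        return "(mail=" + escapeFilterValue(email) + ")";
    }
    /** Keep only the entry's certificates whose SubjectAltName really carries the address. */
    static List<X509Certificate> matching(Collection<X509Certificate> entryCerts, X509CertSelector sel) {
        List<X509Certificate> out = new ArrayList<>();
        for (X509Certificate c : entryCerts) if (sel.match(c)) out.add(c); // selector checks the SAN
        return out;
    }
    public static void main(String[] args) throws Exception {
        X509CertSelector sel = new X509CertSelector(); // constructed: email known, subject DN not set
        sel.addSubjectAlternativeName(RFC822_NAME, "alice@example.com");
        String email = emailCriterion(sel);
        System.out.println(email == null ? "no email-only search" : "LDAP filter: " + mailFilter(email));
    }
}
```

The certificates passed to matching() would be the decoded values of the entry's certificate attribute; X509CertSelector.match() applies the rfc822Name criterion, so a certificate whose SubjectAltName lacks the address is dropped even though the entry's "mail" attribute matched.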
- relates to
  - JDK-4740596 CertPath API improvements (Resolved)
  - JDK-4531698 PKIX CertPathBuilder shouldn't require subject DN of targetConstraints to be set (Closed)